[ome-users] LDAP : Path does not chain with any of the trust anchors
Mason, David [dnmason]
D.N.Mason at liverpool.ac.uk
Mon Sep 18 12:14:46 BST 2017
With the 5.3.4 update, I finally managed to find some time to fix this issue. Unfortunately, I still have no idea why this stopped working, but the following steps fixed the problem (despite not fixing the problem a month ago).
# start from an empty per-user truststore
rm /home/username/.keystore
# fetch the certificate the LDAPS endpoint presents and import it
# (keytool reads the PEM from stdin when -file is omitted; note that
# `openssl x509` keeps only the first certificate s_client prints, i.e. the leaf,
# so any intermediate/CA certificates would need `s_client -showcerts`)
sudo openssl s_client -connect ldap.example.com:636 -prexit < /dev/null | openssl x509 -outform PEM | keytool -import -alias ldap -storepass securepassword -keystore /home/username/.keystore -noprompt
# also import the newly issued certificate file under a second alias
keytool -import -alias ldap2 -keystore /home/username/.keystore -file ~/certificate.cer
# restart so the server re-reads the truststore
omero admin restart
In doing so, I also reverted to a round-robin LDAP server, which may revert my previous issue (https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7598), but I've not (yet) seen any simple bind failures.
________________________________
From: ome-users <ome-users-bounces at lists.openmicroscopy.org.uk> on behalf of Mason, David [dnmason] <D.N.Mason at liverpool.ac.uk>
Sent: 14 August 2017 08:52:47
To: OME User Support List
Subject: Re: [ome-users] LDAP : Path does not chain with any of the trust anchors
Hoping to make some time for it this week, as I've now been issued a new certificate.
Thanks for checking in, will post back with results.
Dave
________________________________
From: ome-users <ome-users-bounces at lists.openmicroscopy.org.uk> on behalf of Josh Moore <josh at glencoesoftware.com>
Sent: 10 August 2017 14:08:23
To: OME User Support List
Subject: Re: [ome-users] LDAP : Path does not chain with any of the trust anchors
Hi Dave,
On Mon, Jul 31, 2017 at 3:27 PM, Mason, David [dnmason]
<D.N.Mason at liverpool.ac.uk> wrote:
> Hi Kenny,
>
> Thanks for the clarification wrt LDAP/local users.
>
> I agree with you that there is something messing up the secure LDAP query.
> For the time being, I've dropped back to ldap instead of ldaps and at least
> users can access their data.
Did you have success getting back to LDAPS?
Cheers,
~Josh.
> Best,
> Dave
>
>
> Date: Wed, 26 Jul 2017 15:17:27 +0000
> From: "Kenneth Gillen (Staff)" <k.h.gillen at dundee.ac.uk>
> To: OME User Support List <ome-users at lists.openmicroscopy.org.uk>
> Subject: Re: [ome-users] LDAP : Path does not chain with any of the
> trust anchors
> Message-ID: <D59E5885.86006%k.h.gillen at dundee.ac.uk>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Dave,
>
> I'll start, but I'm sure others in the community will be able to add more.
>
>>1) Any thoughts on why this might happen (my IT department say nothing
>>has changed on their side - and in fairness my other LDAP calls work - ie
>>on another server)
>
> I'd have guessed at some certificate expiry in the chain, but if they're
> sure nothing changed, we'll have to work through the certs anyway.
>
> The first thing I'd do would be to verify what certificate you need
> to install to communicate with the LDAP server, and make sure it's added
> to a java keystore which OMERO can access. [1], [2].
>
> You can use `ldapsearch` on the command line to verify access to the
> directory, [3], [4]
>
>
>>2) I tried setting [omero.ldap.config=false] hoping that the logins would
>>fall back to the cached database but I get the same error on login. Is
>>this expected behaviour?
>
> Yes, this is expected. I would set `omero.ldap.config=false` when I wanted
> to disable LDAP auth for testing, and use local OMERO users instead. I use
> local OMERO credentials when that setting is false, for accounts which
> would otherwise be ldap accounts, rather than any cached credentials.
>
> [1] https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-ldap.html#ldap-over-ssl
> [2] https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-security.html#java-key-and-truststores
> [3] https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-sasl.html
> [4] https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7348
>
> All the best,
>
> Kenny
>
> --
>
> Kenneth Gillen
>
> OME System Administrator
>
> Wellcome Trust Centre for Gene Regulation & Expression
> School of Life Sciences
> CTIR 2
> University of Dundee
> Dow Street
> Dundee DD1 5EH
> United Kingdom
>
> Tel: +44 (0) 1382 388797
>
>
> http://www.twitter.com/openmicroscopy
>
>
>
>
>
> From: ome-users <ome-users-bounces at lists.openmicroscopy.org.uk> on behalf
> of "Mason, David [dnmason]" <D.N.Mason at liverpool.ac.uk>
> Reply-To: OME User Support List <ome-users at lists.openmicroscopy.org.uk>
> Date: Wednesday, 26 July 2017 14:17
> To: "ome-users at lists.openmicroscopy.org.uk"
> <ome-users at lists.openmicroscopy.org.uk>
> Subject: [ome-users] LDAP : Path does not chain with any of the trust
> anchors
>
>
> Hello List,
>
> I'm running OMERO 5.3.1-ice36-b61 on a Ubuntu 14.04LTS server
> authenticating with LDAP. Just last week, an LDAP user noticed that they
> couldn't log in (Error user-side is
> "Error: Connection not available, please check your user name and
> password."). I checked the logs and I'm getting the following bind failure:
>
> 2017-07-24 10:56:38,787 ERROR [ o.s.blitz.fire.PermissionsVerifierI]
> (erver-2819) Exception thrown while checking password for:[myUserName]
> ome.conditions.InternalException: Wrapped Exception:
> (org.springframework.ldap.CommunicationException):
>
> simple bind failed: [myServer]:636; nested exception is
> javax.naming.CommunicationException: simple bind failed:
> [myServer]:636 [Root exception is javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: Path does not chain with
> any of the trust anchors]
>
> Local users can still log in (same with Public), but LDAP is failing for a
> reason unbeknown to me.
>
> Two questions:
> 1) Any thoughts on why this might happen (my IT department say nothing has
> changed on their side - and in fairness my other LDAP calls work - ie on
> another server)
> 2) I tried setting [omero.ldap.config=false] hoping that the logins would
> fall back to the cached database but I get the same error on login. Is
> this expected behaviour?
>
> Any thoughts appreciated,
>
> Dave
>
>
> The University of Dundee is a registered Scottish Charity, No: SC015096
>
>
>
> _______________________________________________
> ome-users mailing list
> ome-users at lists.openmicroscopy.org.uk
> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
>
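Kenny's advice in the thread is to verify which certificate the LDAPS server presents and make sure it chains to something in a keystore OMERO can read. The Java program below is an added example (it is not part of this thread and not OMERO's own code) that performs exactly that check with the same PKIX trust manager the JDK's LDAP client uses: it handshakes with host:port through a given truststore and, when validation fails with the "Path does not chain with any of the trust anchors" error, prints the chain the server actually sent and the issuer for which the truststore holds no anchor. The class name, argument layout and output strings are my own choices; the tool does no hostname matching and no LDAP bind, it only answers the chain question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic, not OMERO code: explain a PKIX "does not chain" failure against LDAPS.
public class LdapsTrustCheck {

    // Records the chain the server presents, then defers to the real PKIX trust manager.
    static final class CapturingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented = new X509Certificate[0];

        CapturingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            presented = chain.clone();            // keep a copy even if validation throws
            delegate.checkServerTrusted(chain, authType);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static KeyStore loadTruststore(String path, String password) throws Exception {
        // Java 9+ reads both JKS and PKCS12 files through either type (keystore.type.compat)
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password.toCharArray()); }
        return ks;
    }

    // The JDK's standard PKIX trust manager, initialised from the given truststore only.
    static X509TrustManager pkixTrustManager(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    // True if some trust anchor's subject DN equals the certificate's issuer DN.
    static boolean hasAnchorForIssuer(X509TrustManager tm, X509Certificate cert) {
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            if (anchor.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java LdapsTrustCheck <host> <port> <truststore> <storepass>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        X509TrustManager real = pkixTrustManager(loadTruststore(args[2], args[3]));
        CapturingTrustManager capture = new CapturingTrustManager(real);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
            System.out.println("OK: " + host + ":" + port + " chains to a trust anchor in " + args[2]);
            return;
        } catch (SSLHandshakeException e) {
            System.out.println("HANDSHAKE FAILED: " + e.getMessage());
        }

        // Print the presented chain leaf-first, flagging expired/not-yet-valid certificates.
        X509Certificate[] chain = capture.presented;
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            String validity;
            try { c.checkValidity(); validity = "valid until " + c.getNotAfter(); }
            catch (CertificateException ex) { validity = "NOT VALID: " + ex.getMessage(); }
            System.out.printf("[%d] subject=%s%n    issuer=%s%n    %s%n", i,
                    c.getSubjectX500Principal(), c.getIssuerX500Principal(), validity);
        }
        if (chain.length > 0) {
            X509Certificate top = chain[chain.length - 1];
            if (!hasAnchorForIssuer(real, top)) {
                System.out.println("No trust anchor for issuer: " + top.getIssuerX500Principal());
                System.out.println("Import that CA/intermediate certificate (not the leaf) into " + args[2]);
            }
        }
        System.exit(1);
    }
}
```

Run it with the same placeholders Dave's commands use, e.g. `java LdapsTrustCheck ldap.example.com 636 /home/username/.keystore securepassword`. If the last certificate printed has an issuer the truststore lacks, that CA or intermediate certificate is the one to import; `openssl s_client -showcerts` prints the whole chain the server sends, whereas piping s_client into `openssl x509` keeps only the first certificate, the leaf, which is why importing it alone can work one day and break when the server is reissued.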